utcc.utoronto.ca

Linux Certificate Authority root stores have a too simple view of 'trust'

Let's start with the background. Pretty much every Linux system (really, every Unix system) has a 'system CA root store', by which we mean 'the list of all CA root certificates that are trusted by default by most TLS-using software'. For various sensible reasons, many Linux distributions reuse Mozilla's CA root store for their system root store, possibly with some tweaks. The recent TLS news is that Mozilla (and Microsoft) are...